Re: How to tell if a Linux machine is a zombie?

[Håkon Alstadheim <hakon@alstadheim.priv.no>]

Kamaraju Kusumanchi wrote:
> On Monday 08 January 2007 14:13, Russell L. Harris wrote:
>
>   
> > So, before I preach about the dangers of spyware and zombies to my
> > buddies using Window$, how can I be certain that my own Debian machine
> > has not been compromised and has not become a zombie?  Is there a
> > simple test which I can run on a weekly basis?
> >
> >     
>
> You can use senderbase statistics to see if there is a huge increase in email 
> activity from the IP address under consideration.
>
> For example, if you visit
>
> http://www.senderbase.org/search?searchString=204.13.69.220
>
> It says that on average the machine sends 10^2.9 emails per day. In the last 
> 30 days, it sent 10^3.6 emails per day. Last day (ie yesterday) it sent 
> 10^4.9 emails. The trend clearly indiciates that there has been an increase 
> in email activity which might correlate with the machine being a zombie.
>
> This is not a fool proof test. But I have seen people being referred to this 
> website on spamcop forums, news groups.
>
>   
Also check dshield to see if your machine has tried to get in anywhere. 
Go to http://www.dshield.org/ipinfo.html?ip=<your.ip.add.ress>.

Some entries are benign noise, but if you see several thousand hits on 
port 22, you are probably owned.